Positive Technologies Aims To Positively Stop ICO Hacks

A London cyber-security company that focuses on preventing initial coin offerings (ICO) from being hacked has opened for business.

Positive Technologies seeks to stop cyber-attacks that can siphon off funds and make ransom demands during a critical period in their growth. The service is believed to be the first of its kind to focus on cyber-security protection for all points of risk in the ICO process. This includes making sure that blockchain smart contracts are free from vulnerabilities and logic flaws, that the code used in web applications, servers and mobile applications is secure in advance, that employees are trained to stop insider threats, and that threat monitoring is maintained throughout.

With more than $200 billion in capital already raised by ICOs this year, the financial tool is increasingly under the microscope of cyber criminals, who have stolen at least $150M in digital capital alone this year. Attacks exploiting vulnerabilities in the DAO and Parity offerings, for example, saw over $100M of tokens illicitly redirected. CoinDash lost $8M when attackers exploited vulnerabilities in the company’s web applications.

Positive.com analyzes the source code used in the smart contracts issued to investors in exchange for tokens, removing technical vulnerabilities and logic flaws and checking the fixed code in a private blockchain. The tests also include a vulnerability analysis of web and mobile applications, OS and network infrastructure, denying attackers points of entry, as well as training employees to avoid social engineering attacks.

“Recent events have shown that ICOs are a ripe target for cyber attacks,” said Leigh-Anne Galloway, Cyber Resilience Lead at Positive.com. “A highly valuable financial event, which is open to the public and relies utterly on technology from start to finish, is like a red rag to a bull for hackers.”

Galloway talked with Block Tribune about the new service and how ICOs are exploited.

BLOCK TRIBUNE: What are the most common types of attacks on ICOs attempted by hackers?

LEIGH-ANNE GALLOWAY: Vulnerabilities in smart contracts, wallets, and web applications have been used to drain at least $150 million in ICO funds in just over a year. This means cybercriminals have stolen nearly 9.5% of the value of all ethereum ICOs.

BLOCK TRIBUNE: Are these sophisticated criminal organizations, or amateurs trying to create a prank?

LEIGH-ANNE GALLOWAY: When it comes to real money, it’s no prank. When an ICO is hacked, it’s very difficult to know who the perpetrator was because blockchain hides identities. However, we can be sure that whoever the malicious actors are, they’re constantly looking for new targets.

BLOCK TRIBUNE: Have you done any ICO protections that you can mention? What were the vulnerabilities uncovered?

LEIGH-ANNE GALLOWAY: In a recent project, Positive.com revolutionized the security of an ICO in just a couple of days. We had no choice but to work fast, as their launch date was already set and couldn’t be moved. Our detailed security assessment covered their infrastructure, website, and smart contract, which was written in Solidity. We also provided guidance on fixing all the security flaws we’d found and performed follow-up verification testing to confirm they’d followed the recommendations properly. Of course, every ICO is different, so we customize our security services for every client.

BLOCK TRIBUNE: How will your live monitoring of ICOs work? Will you be watching 24/7 for weeks and months?

LEIGH-ANNE GALLOWAY: Our Security Operations Center monitors and responds to any and all attacks throughout an ICO, ensuring attackers cannot cause reputational issues at a critical time by bringing down connected infrastructure, defacing websites or infiltrating networks. And we provide a cloud-based, enterprise-grade web application firewall and SIEM (Security Information and Event Management) solution, backed up with 24/7 monitoring from a Security Operations Center.

BLOCK TRIBUNE: The Titanic proved that no plan is fool-proof. Is there any insurance or assurance if things go wrong?

LEIGH-ANNE GALLOWAY: Digital currencies are like the Wild West – anything can happen on blockchain, and it’s not as decentralized as you may imagine. The Positive.com team has over a decade of cyber-security experience, having worked with some of the world’s largest companies on penetration testing and security deployments. Of course, there’s never a silver bullet in security. But our team’s deep expertise in the field combined with comprehensive technology will arm organizations undergoing an ICO against the brunt of today’s cyberattacks.

BLOCK TRIBUNE: How would you characterize the flaws you discover in the smart contracts – are they easily discovered? Or does it take a particular depth of expertise to uncover them?

LEIGH-ANNE GALLOWAY: Smart contracts language, i.e. Solidity, has many peculiarities that are difficult to spot. And some features aren’t documented. In order to feel comfortable with the code, you need to understand all the layers from blockchain mechanics and Ethereum virtual machine to the higher-order logic on the application layer. A subtle error in a smart contract may result in the termination of all operations, which may be an ultimate goal for attackers. There have been attempts to formally verify smart contracts, but these technologies aren’t mature enough today, which is why manual audit is the only efficient and precise way of finding vulnerabilities, especially logic vulnerabilities.

BLOCK TRIBUNE: Are your costs fixed, hourly, or determined by the project?

LEIGH-ANNE GALLOWAY: For smart contracts and web application security assessment, a fixed cost is negotiated with each client before starting the project based on scale. Security Operations Center cost is determined on a daily basis, depending on the client’s needs.